Twitter Got Lucky With the Great Bitcoin Heist
The social media giant’s security failures could have allowed far more damage.
There is no such thing as getting rich quick. But times are tough, and people are desperate. Tell the powerless that there’s a magic trick to winning that the big guys aren’t telling you about, and you’ll get them in—or enough of them to be worth trying. And that’s particularly easy on a platform like Twitter, which mixes worryingly weak security with massive reach. It’s even easier when you throw in Bitcoin; its pool of adherents who have long mixed credulity, scamming, and a near-magical belief in the cryptocurrency’s policies; and Twitter’s long-standing tolerance for those scams.
On Wednesday afternoon, multiple accounts on Twitter began posting the same message: Send bitcoins to the address in the tweet, and you’ll get back double the bitcoins! Initial tweets claimed to be linked to a fake charity, Crypto for Health.
The first wave of scam tweets went out from small Twitter accounts and then cryptocurrency CEOs. A second wave went out from celebrities and politicians with Twitter accounts that had been verified as authentic—including Elon Musk, Kanye West, Jeff Bezos, Bill Gates, Joe Biden, and Barack Obama. Donald Trump wasn’t hit, as his account has extra protections after previous attacks.
Twitter seemed powerless to stop the tweets; for a short time, the platform even disabled all verified accounts. Eventually, the perpetrator was found to be working via compromised Twitter employee accounts, using an internal administrative console that was widely accessible inside the company. Twitter said it would be restricting access to the tool in question.
All scams are old scams. The words “double your money” are perfectly designed to catch the eye of the gullible. These days, money moves at the speed of light. So the scams work as a widely spammed numbers game: If you come up with something that looks like an obvious scam, only the gullible respond.
Bitcoin was designed to be unstoppable electronic money, with no central controller. Nobody can stop you sending your bitcoins anywhere you want to, and transactions are irreversible by design—a feature that was argued to be one of Bitcoin’s advantages.
Bitcoin doublers have been around since bitcoins could first be exchanged for real money—and earlier versions of the doubling scam ran in online games, such as “ISK doublers” in Eve Online or “coin doublers” in RuneScape. Send in a small amount of bitcoins, and you’ll get double the coins back! Send a larger amount straight after, and you won’t.
No reason is given for why anyone would just double your money. You’d think people would catch on, but, years later, this scam keeps popping up and finding suckers.
After the scam runs for the first time, there’s often a second layer: The doubler never sends back coins. But the doubling site is publicized with a “warning” about the scam. Others think: “If I only send coins once, the site will never see me as a repeat user!” They send in a small amount of coins—and never get anything back, even once. Like all the best scams, it’s a scam that relies on the sucker thinking they’re the scammer.
Fraud, crime, and ransomware make up a significant part of all Bitcoin usage. A payment channel having substantial—and, worse yet, famous—criminal usage is a serious problem. Many banks are reluctant even to let Bitcoin users bank with them because dirty money is pervasive in the crypto-trading system, with no easy way to sort out what’s clean. E-Gold, which let you quickly send dollars online, did not verify account holders’ identities—and became famous for criminal use, eBay auction fraud, and internet-based Ponzi schemes. E-Gold was shut down in 2007, and the founder pleaded guilty to unlicensed money transmission and conspiracy to engage in money laundering.
But more worrying than Bitcoin’s problems are Twitter’s. The social media platform has let coin doubling scams for Ethereum, another prominent cryptocurrency, run rampant for the past few years. Tweet with an avatar and a display name imitating some famous person, saying you’ll double people’s ether. Add some replies thanking the famous person for the money. These could pull in up to $5,000 a day in ether. Ethereum’s creator, Vitalik Buterin, eventually added “Not giving away ETH” to his Twitter display name for a time.
Elon Musk has long been another favorite target—to the point where Twitter would stop users from changing their display name to “Elon Musk.” One 2018 Musk scam pulled in $180,000 in bitcoins.
Twitter has been slow to move on these scams in the past. But arguably it got lucky this time around because this Bitcoin hacker was so startlingly unimaginative. The hacker took control of an administrative panel giving full control over almost every account on Twitter’s service. They could post anything they liked to hugely popular verified Twitter accounts, for important and powerful people. The hacker could have influenced markets and politics with carefully applied tweets—and the first thing they did with this power was to run a Bitcoin scam.
In 2013, an attacker took over the Associated Press Twitter account and posted that the White House had been bombed and Barack Obama injured; Wall Street flash-crashed in response. The present attacker could have hit Musk’s account alone, crashed Tesla stock, and short-sold it, hidden among all the other Tesla short-sellers.
The present Twitter scammer used this amazing power to make approximately $110,000 worth of bitcoins—as visible on the public Bitcoin blockchain, which shows all transactions. This is assuming that the scammer didn’t recirculate bitcoins into the scam, to make it look as though coins were being sent in and double the coins were then sent out. Even a fake charity tweet asking for wire transfers would have netted more than the hacker managed.
Some speculated that the attack was the hacker marketing themselves, by demonstrating what they could do. But burning their own attack mechanism in a way that makes international news—and that hit the sort of people who have a Secret Service detail, thus attracting the utmost attention of the authorities—suggests instead that the hacker was just not very bright. Throw in the possibility of law enforcement using Bitcoin’s open transactions to help trace the thieves, as happened in the Silk Road case, and the chance that this is somebody who got lucky, rather than an unknown genius, is high.
Scams are a natural byproduct of Bitcoin. The real issue is Twitter’s responsibility. Twitter has been asked previously to block cryptocurrency addresses from being tweeted, which would have nipped the scam in the bud. Twitter has acknowledged it allowed far too many employees full access to an all-powerful administrative console. This was a systemic failure.
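The address-blocking control mentioned above, sketched as an added Python example (not Twitter's code, and not from the original article): it extracts candidate legacy Bitcoin addresses from a tweet, keeps only those whose Base58Check checksum verifies, and flags tweets that pair a real address with "double your money" language. It assumes legacy Base58Check addresses only (bech32 is out of scope) and uses a constructed payload to build its own test address.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy addresses: start with 1 or 3, Base58 alphabet, 26-35 chars total.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Phrasing typical of the doubler pitch; assumption, tune against real moderation data.
SCAM_RE = re.compile(r"\b(doubl(e|ing)|giv(e|ing) back|send back)\b", re.I)


def _checksum(data: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    """Build a Base58Check string; used here only to construct a test address."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte -> '1'
    return "1" * pad + out


def is_valid_btc_address(s: str) -> bool:
    """True only if s decodes to 25 bytes whose trailing checksum matches."""
    n = 0
    for ch in s:
        if ch not in ALPHABET:
            return False
        n = n * 58 + ALPHABET.index(ch)
    pad = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    return _checksum(raw[:-4]) == raw[-4:]


def find_addresses(text: str) -> list:
    """Return candidates that pass the checksum, dropping typos and look-alikes."""
    return [m for m in ADDR_RE.findall(text) if is_valid_btc_address(m)]


def is_doubler_scam(text: str) -> bool:
    """Flag a tweet that pairs a verified address with doubler language."""
    return bool(find_addresses(text)) and bool(SCAM_RE.search(text))
```

Checksum validation matters because a plain regex also matches near-miss strings, which would make a blocklist both noisy and easy to argue with; a hash-verified address is a much stronger signal.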
Other people’s personal data requires controls as strong as the controls on other people’s money. Twitter now has to earn back the trust of the verified celebrity posters it relies on to lure mundane users to the platform—and of politicians, who are already asking pointed questions. Twitter must review its internal controls and release a full root cause analysis. Government services that use Twitter, which in the United States now span from the presidency on down to local police forces and fire departments, need to rethink how they approach the platform if it doesn’t show massive improvement. Wednesday’s shenanigans, for instance, locked down a local National Weather Service account—in the middle of a tornado warning.
The Bitcoin subculture is as certain as ever that any publicity is good publicity. Tyler Winklevoss, of The Social Network fame, and his brother run the cryptocurrency exchange Gemini, whose Twitter account was one of those compromised. Winklevoss tweeted: “Bitcoin is trending.” Never mind that it was trending because of massive fraud.
Twitter can’t afford to be as delusional. This disaster could have ended the company. It was lucky to have such an attacker so unimaginatively committed to a deeply fraudulent currency this time. It can’t expect to be so lucky next time.